A unified framework for modeling and implementation of hybrid systems with synchronous controllers

Avinash Malik and Partha Roop 


Abstract—This paper presents a novel approach to including non-instantaneous discrete control transitions in the linear hybrid automaton approach to simulation and verification of hybrid control systems. We study the control of a continuously evolving analog plant by a controller programmed in a synchronous programming language. We provide extensions to the synchronous subset of the SystemJ programming language for modeling, implementation, and verification of such hybrid systems. We provide a sound rewrite semantics that approximates the evolution of the continuous variables in the discrete domain, inspired by classical supervisory control theory. The resultant discrete time model can be verified using classical model-checking tools. Finally, we show that systems designed using our approach have a higher fidelity than those designed using the hybrid automaton approach.

Index Terms—Hybrid automata, synchronous languages, semantics, compilers, verification, control theory.

1 Introduction

Modern closed loop control systems consist of a physical process (termed the plant) controlled by a discrete embedded controller. The plant is a continuously evolving (analog) system, which is sampled by an analog to digital converter at specific intervals. These samples are then input into the discrete controller, which makes decisions depending upon the control logic and feeds the resultant outputs back to the plant to control it. The continuous time nature of the plant and the discrete time nature of the controller together form a hybrid system. The Linear Hybrid Automaton [1] is arguably the most popular approach for modeling such hybrid systems. A linear hybrid automaton captures the continuous evolution of the plant model as first order ordinary differential equations (ODEs). In every control mode of the discrete controller, the plant variables evolve according to a set of ODEs as long as an invariant condition holds. As soon as the invariant condition is violated, an instantaneous switch is made by the controller to a different control mode. The continuous variables in the plant model then evolve with a new set of ODEs. Thus, the controller changes the plant behavior through this mode switch.

Control systems are reactive systems [2] that have an ongoing interaction with their respective plant in terms of discrete time steps. At the start of each time step, the inputs from the plant are captured, a reaction function is called to process these inputs, and finally the outputs are emitted back to the plant. Synchronous languages such as Esterel [3], Lustre [4] and Signal [5] are used extensively to implement such reactive systems, since synchronous programs can be translated into symbolic transition systems in polynomial time even with an exponentially large number of states. Furthermore, model-checking of temporal logic specifications [6] can be performed directly on these resultant symbolic transition systems to guarantee functional and real-time properties of the controller. Synchronous languages operate on the principle of the synchrony hypothesis, which requires that the reaction function takes zero time and the outputs are produced instantaneously.

Given the instantaneous mode switch of the hybrid automaton and the zero delay computation model of the synchronous languages, it should not be surprising that controllers modeled as hybrid automata are implemented with synchronous languages, since semantically the discrete step (the mode switch in one model, the reaction function in the other) takes zero time in both. However, in a real system no controller takes zero time. The synchronous language community has addressed this problem by considering the worst case reaction time (WCRT) of a synchronous program [7]. For a synchronous controller, the WCRT, which is akin to the critical path of a program, determines the minimum inter-arrival time of input events. Statically obtaining a tight WCRT for synchronous controllers is a well studied problem [7], [8], [9]. To the best of our knowledge an equivalent approach to incorporating time-delayed mode switches has not been addressed by the hybrid automaton community. Consequently, any result obtained from a system modeled using a hybrid automaton has low fidelity, i.e., the implemented system does not behave as the model predicts, because of the delays in making control decisions.

In this paper our main contribution is: a powerful language with a precise formal semantics that allows the modeling, verification and implementation of non-trivial synchronous controllers with time-delays within their continuous environment. Our contributions can be refined as follows:

• Automatic, compiler driven, symbolic representation of the hybrid systems designed in the proposed hybrid synchronous language, called HySysJ.

• A precise, formal and novel natural semantics for compilation of hybrid systems.

• The discrete approximation of hybrid systems designed in HySysJ, based on discrete linear time invariant systems from classical supervisory control theory [10].

The rest of the paper is arranged as follows. Section 2 gives a detailed description of the current state of the art in hybrid system design, highlighting the deficiencies. Section 3 introduces the preliminaries required to read the rest of the paper. We motivate the problem using an example in Section 4. The basic language definition is provided in Section 5, which is further extended with continuous time constructs and semantics in Section 6. The relation of the proposed approach to classical supervisory control theory, the verification procedure carried out on the motivating example in the resultant new language, and our conclusions follow in the subsequent sections.

2 Related work 

Many languages have been proposed for modeling and verification of hybrid systems. A good survey can be found in [11]. The first class of languages are the hardware description languages enhanced with analog mixed signal (AMS) extensions, such as VHDL-AMS and SystemC-AMS [12], [13]. These languages lack any sort of formal semantics and hence cannot be used for formal verification. The second class is the data-flow languages such as Zelus and SCADE/Lustre [14], [4], which approximate the continuous ODEs. This approach of approximating the continuous ODE behavior is essential, because model-checking most system properties, including safety properties, is known to be undecidable for general hybrid systems [1]. The aforementioned data-flow languages are also endowed with formal mathematical semantics. This conjunction of approximation of continuous behavior along with formal mathematical foundations makes these languages potentially suitable for model-checking. But, unlike ours, their overall hybrid model does not account for the non-zero mode-switch times and hence these programming languages suffer from the same problems as the hybrid automata.

Finally, the work closest to the one described in this article is done by: (1) Closse et al. [15], who extend the Esterel language to model timed automata [16], i.e., ODEs with rate of change always equal to 1. In this proposal we are able to model the more general hybrid automaton rather than its subset, the timed automaton; and (2) Baldamus et al. [17], which is a seminal work in extending synchronous imperative languages to model hybrid automata. This work is extended further and completed by giving a formal treatment by Bauer et al. [18]. The work described herein differs significantly from both [15] and [17] in that they do not approximate the continuous behavior of the plant; instead, all discrete transitions are carried out and then a so called continuous phase is launched, which models the continuous evolution of the plant as long as the invariant condition holds, just like in the hybrid automaton. Since these approaches derive their semantics from the hybrid automaton, they inherit the problem described above, i.e., non-zero mode-switch transitions cannot be captured in the semantics.

Overall, the formal foundations of the modeling/implementation language proposed in this paper are unique, since the semantics unify the real-time analysis of synchronous programs [7] and the hybrid modeling languages into a single framework inspired by classical supervisory control theory.

3 Preliminaries 

In this section we give the background information required for understanding the rest of the paper.

3.1 The hybrid automaton 

We use the definition of the linear hybrid automaton from [1].

Definition 1. A hybrid automaton $H$ is a tuple $(Loc, Var, Con, Lab, Edge, Act, Inv, Init)$ where

• $(Loc, Var, Con, Lab, Edge, Act, Inv, Init)$ is a labelled transition system with $Loc$ a finite set of locations, $Var$ a finite set of real-valued variables, $V$ the set of valuations $v : Var \to \mathbb{R}$, $\Sigma = Loc \times V$ the set of states, and $Init \subseteq \Sigma$ the set of initial states.

• $Con : Loc \to 2^{Var}$ is a function assigning a set of controlled variables to each location.

• $Lab$ is a finite set of labels, including the stutter label $\tau \in Lab$.

• $Act$ (activities) is a function assigning a set of activities $f : \mathbb{R}_{\ge 0} \to V$ to each location $l \in Loc$, which are time-invariant, meaning that $f \in Act(l)$ implies $(f + t) \in Act(l)$, where $(f + t)(t') = f(t + t')$ for all $t' \in \mathbb{R}_{\ge 0}$.

• $Inv$ is a function assigning an invariant $Inv(l) \subseteq V$ to each location $l \in Loc$.

• $Edge \subseteq Loc \times Lab \times 2^{V \times V} \times Loc$ is a finite set of edges, including the $\tau$-transitions $(l, \tau, Id, l)$ for each location $l \in Loc$, with $Id = \{(v, v') \mid \forall x \in Con(l).\ v(x) = v'(x)\}$, and where all edges with label $\tau$ are $\tau$-transitions.

Definition 2. The semantics of a hybrid automaton $H$ is given by an operational semantics consisting of two rules, one for discrete instantaneous transition steps and one for continuous time steps.

• Discrete step semantics (mode-switch semantics):

$$\frac{(l, a, (v, v'), l') \in Edge \qquad v' \in Inv(l')}{(l, v) \xrightarrow{a} (l', v')}$$

• Time step semantics:

$$\frac{f \in Act(l) \qquad f(0) = v \qquad f(t) = v' \qquad t > 0 \qquad f([0, t]) \subseteq Inv(l)}{(l, v) \xrightarrow{t} (l, v')}$$
Fig. 1: The pictorial representation of the manufacturing control system

An execution step $\to\ \subseteq \Sigma \times \Sigma$ of $H$ is either a discrete step or a time step. A path $\pi$ of $H$ is a sequence $\sigma_0 \to \sigma_1 \to \cdots$ with $\sigma_0 = (l_0, v_0) \in Init$, $v_0 \in Inv(l_0)$, and $\sigma_i \to \sigma_{i+1}$ for all $i \ge 0$.

3.1.1 An example linear hybrid automaton 
We will use the closed loop manufacturing system example shown in Figure 1 to elaborate the semantics of hybrid automata.

Consider that we are designing an automated ice-cream manufacturing system as shown in Figure 1. The system consists of two carousel belts that carry an ice-cream to either Storage1 or Storage2 depending upon the RFID tag on the ice-cream. The size of the first carousel is $\beta \times \gamma$ units. A diverter is placed at the end of the first carousel, $\beta$ units from the start. A tag reader and diverter controller (TRDC) is placed at position $\alpha$ from the start of the first carousel. When the ice-cream is detected, the TRDC reads the tag on the ice-cream and then sends a control message to the diverter in order to move it into the correct position, so that once the ice-cream reaches position $\beta$ it is diverted to the correct storage station. The detection of the ice-cream on the first carousel is indicated by the emission of signal S1. Signal S2, emitted from the TRDC, moves the diverter $\theta$ arc-length units in order to divert the ice-cream to Storage1, while signal S3 does the opposite. Furthermore, the carousel and the diverter move at a constant velocity of 1.

The hybrid automaton modeling the manufacturing system is shown in Figure 2a. The elements of the tuple defining the syntax of the hybrid automaton are indicated in Figure 2a for the sake of understanding. Initially the ice-cream and the diverter are at position 0, denoted by the continuous variables $x$ and $y$, respectively. In mode A, the ice-cream travels on the first carousel at a constant velocity of 1 until it reaches position $\alpha$. As soon as the ice-cream reaches $\alpha$, signal S1 is emitted with the TAG value Storage1, say. Signal S2 is emitted instantaneously and the hybrid automaton moves to mode B. In this mode, the ice-cream and the diverter both move at a constant velocity until the diverter covers
Fig. 3: An example synchronous controller and its timing diagram. (a) Synchronous controller controlling a plant; (b) synchronous controller timing diagram.

the distance of $\theta$ arc-length units. Finally, a transition is made to mode D, where any further distance up to $\beta$ is covered by the ice-cream, and then the ice-cream moves onto the second carousel and is placed into the correct storage.

The movement of the ice-cream for this hybrid automaton assuming $\alpha = 3$, $\beta = 10$ and $\theta = 6$ is shown in Figure 2b. Assuming the instantaneous discrete mode-switch model of the hybrid automaton, choosing $\alpha = 3$ is a feasible solution, as seen in Figure 2b. The ice-cream is detected at position 3 on the first carousel and an instantaneous move is made to control mode B, where the ice-cream moves another 6 units, ending up at position 9 when the hybrid automaton enters mode D, which is less than $\beta = 10$.

3.2 The synchronous controller 

Definition 3. A synchronous controller is a tuple $(Q, q_0, I, O, A, T)$ where:

• $Q$ is the set of states

• $q_0 \in Q$ is the starting state

• $I$ is the set of input signals

• $O$ is the set of output signals

• $A$ is the set of actions

• $T$ is the transition relation: $T \subseteq Q \times B(I) \times 2^A \times 2^O \times Q$, where $B(I)$ is the set of Boolean expressions over the symbols in $I$.

Simply put, a synchronous controller is a directed graph with edges carrying labels of the form $b / A', O'$ with $b \in B(I)$, $A' \subseteq A$, $O' \subseteq O$. Intuitively, an edge can be taken if the Boolean condition on the edge holds true. Upon taking the transition, the actions (functions) in $A'$ are performed and the output signals in $O'$ are emitted.

3.2.1 The timing semantics of synchronous controllers 
Figure 3a shows a simple example of a synchronous controller controlling a plant. The controller's input signal set is {I1, I2} and output signals are produced from the set {O1, O2}. The transition system for the controller is also shown in Figure 3a. There are three states in the transition system. The initial state is labeled S0. When signal I1 is produced from the plant, the
Fig. 2: A simple carousel control system and its hybrid automaton. (a) The hybrid automaton modelling the manufacturing control system; (b) the behavior of the manufacturing control system as modeled by the hybrid automaton.


controller makes a transition to state S1, in the process also emitting signal O1 back to the plant. Next, when signal I2 is produced from the plant, the controller makes a transition to state S2. Furthermore, the controller performs an action F and outputs signal O2 back to the plant.


The timing diagram for the controller is shown in Figure 3b. Every synchronous controller, following the zero delay model [2], progresses in lockstep with a logical clock tick. The inputs are captured from the plant at the start of the logical tick, a reaction function is called to process these inputs (in this case the reaction function is the transition system in Figure 3a) and finally the outputs are produced at the end of the tick. The logical ticks are shown as bars in Figure 3b. At logical tick 1, the input signal I1 is captured from the plant, and the output signal O1 is instantaneously produced at the end of the logical tick. Similarly, input signal I2 is captured at the start of tick 4 and output signal O2 is emitted back to the plant at the end of this tick, instantaneously.


Unfortunately, the execution of every reaction to the input signals takes some physical time $\delta$. The zero delay model implicitly requires that the reaction to the input signals be fast enough in order not to miss any input events from the plant. In order to satisfy this implicit restriction, we need to calculate the Worst Case Reaction Time (WCRT) from amongst all the reaction times, which needs to be shorter than the inter-arrival time between any two incoming events. Formally, let $\{\delta_1, \ldots, \delta_N\}$ be the set of all possible reaction times for some synchronous controller. Then $\delta_i \le \mathrm{WCRT}$ for all $1 \le i \le N$, where $\mathrm{WCRT} = \max_i \delta_i$. The WCRT of any synchronous controller can be calculated statically, irrespective of the plant model. Many different techniques exist for the calculation of the WCRT of a synchronous controller [7].
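As an added example (ours, not code from the paper or from SystemJ), the following executes a controller of Definition 3 one logical tick at a time, with the Fig. 3 controller transcribed into it, and checks the Section 3.2.1 condition that the WCRT must not exceed the smallest inter-arrival gap of the input events. The class and function names, and the sample reaction and event times passed to `wcrt_ok`, are this example's own assumptions.

```python
"""Added example: executor for the synchronous controller (Q, q0, I, O, A, T)
of Definition 3, run on the Fig. 3 controller, plus the WCRT check of
Section 3.2.1.  Names (Edge, Controller, run, wcrt_ok) are this example's own."""
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Sequence, Set, Tuple

Present = FrozenSet[str]          # input signals present at the start of a tick


@dataclass(frozen=True)
class Edge:
    """One element of T: (q, b, A', O', q'), b a predicate over the present inputs."""
    src: str
    cond: Callable[[Present], bool]
    actions: Tuple[str, ...]
    outputs: FrozenSet[str]
    dst: str


@dataclass
class Controller:
    states: Set[str]
    q0: str
    inputs: Set[str]
    outputs: Set[str]
    actions: Set[str]
    edges: List[Edge]

    def react(self, q: str, present: Present):
        """One reaction: inputs sampled at the start of the tick, the unique enabled
        edge (if any) is taken, its actions run and its outputs are emitted."""
        present = frozenset(present) & frozenset(self.inputs)
        enabled = [e for e in self.edges if e.src == q and e.cond(present)]
        if len(enabled) > 1:
            raise ValueError(f"controller is non-deterministic in state {q}")
        if not enabled:                       # no edge enabled: stay, emit nothing
            return q, (), frozenset()
        e = enabled[0]
        return e.dst, e.actions, e.outputs


def run(ctrl: Controller, input_trace: Sequence[Present]):
    """Drive the controller one logical tick per entry of input_trace;
    returns the per-tick (state, actions, outputs) log."""
    q = ctrl.q0
    log = []
    for present in input_trace:
        q, acts, outs = ctrl.react(q, present)
        log.append((q, acts, outs))
    return log


# The controller of Fig. 3(a): S0 -I1/O1-> S1 -I2/F,O2-> S2
FIG3 = Controller(
    states={"S0", "S1", "S2"}, q0="S0",
    inputs={"I1", "I2"}, outputs={"O1", "O2"}, actions={"F"},
    edges=[
        Edge("S0", lambda p: "I1" in p, (), frozenset({"O1"}), "S1"),
        Edge("S1", lambda p: "I2" in p, ("F",), frozenset({"O2"}), "S2"),
    ],
)


def wcrt_ok(reaction_times: Sequence[float], event_times: Sequence[float]):
    """Section 3.2.1 condition: WCRT = max(delta_i) must not exceed the smallest
    inter-arrival gap of the input events, otherwise an event can be missed.
    Returns (condition holds, WCRT)."""
    wcrt = max(reaction_times)
    gaps = [b - a for a, b in zip(event_times, event_times[1:])]
    return wcrt <= min(gaps), wcrt


if __name__ == "__main__":
    # Fig. 3(b): I1 arrives in tick 1, I2 in tick 4 (constructed input trace)
    for tick, (q, acts, outs) in enumerate(run(FIG3, [{"I1"}, set(), set(), {"I2"}]), 1):
        print(tick, q, acts, sorted(outs))
    print(wcrt_ok([1.5, 2.0, 0.7], [0, 3, 5]))
```

Ticks 2 and 3 of the Fig. 3 trace take no edge and emit nothing, which is the "stay" case that a transition relation leaves implicit; the raise on two enabled edges is the determinism check a compiler would perform before treating the controller as a function of its inputs.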


4 The problem of time-delayed mode switches


Let us revisit the manufacturing control system example in Section 3.1.1 and use a synchronous language to implement the TRDC controller that performs the discrete mode switches in Figure 2a. Since the length ($\beta$) and the width ($\gamma$) of the first carousel and the speed of movement of the carousel and the diverter are all fixed, we only need to place the TRDC at the correct position on the first carousel so that the diverter is in the correct position by the time the ice-cream reaches position $\beta$. Our goal is to statically verify that any ice-cream on the first carousel will be diverted to the correct storage depending upon its tag. A hybrid automaton should help us model this system to guarantee this safety property. Note that the reader should interpret the term verify loosely, because the reachability problem for hybrid automata is known to be undecidable [19].


4.1 The hybrid automaton and the worst case reaction time of synchronous controllers

The movement of the ice-cream in the real system with the TRDC placed at position 3 (as obtained from the hybrid automaton model) is shown in the bottom graph of Figure 4a. Every decision made by the controller takes some time. In the case of synchronous controllers, this time is the WCRT. Suppose that WCRT = 2 units for the TRDC controller; then the ice-cream is at position 5 when the hybrid automaton moves to mode B. Now the system modeled by the hybrid automaton and the real implementation are not in sync. In fact, when the system enters mode D, the invariant $x < \beta$ does not hold and the transition is immediately made back to mode A. But the ice-cream is already at position 11 when the system enters mode D, which is past $\beta = 10$, and hence the ice-cream now moves to Storage2 rather than Storage1 as desired, thereby violating the safety property. Overall, the model does not reflect reality and
stmt  ::= stmt0 ["||" stmt]
stmt0 ::= stmt1
stmt1 ::=
      | "nothing" | "emit" a | "?" a "=" expr
      | "pause" | "abort" "(" ["immediate"] expr ")" stmt
      | "if" "(" expr ")" stmt "else" stmt
      | "suspend" "(" ["immediate"] expr ")" stmt
      | ["input" | "output"] [type] "signal" a [op "=" expr]
      | "loop" "{" stmt "}" | "{" stmt "}"
op    ::= "op+" | "op*"

Fig. 5: The core kernel statements of the synchronous subset of SystemJ. Terminals appear within double quotes, and brackets indicate optional syntactic components.


Fig. 4: The different movement of the ice-cream: hybrid automaton model vs. the real system. (a) Difference between the modeled system and the real system; (b) missed item tag due to WCRT.

needs fo be modified. One might assume that the transi¬ 
tion time of fhe confroller is orders of magnifude smaller 
compared fo fhe speed of movement of fhe ice-cream on 
fhe carousel and hence, can be considered as zero. This is 
a very rough approximation as indicafed in EOl . There are 
dafa acquisifion delays, sensor delays, communicafion 
delays, compufafion delays in digifal confrollers, which 
carmof be ignored wifh fhe slighf of hand. These delays 
need fo be accounfed for in fhe WCRT of fhe embedded 
confroller. 

4.2 The hybrid automaton, the worst case reaction 
time and the synchrony hypothesis 

Every synchronous program can be statically analyzed to find its WCRT. As mentioned before (see Section 3.2.1), the synchrony hypothesis is guaranteed iff the WCRT is less than or equal to the inter-arrival time of input events. For the manufacturing system example WCRT = 2, hence the synchronous control logic (TRDC), in the worst case, samples inputs every 2 units of time. An input is generated when the ice-cream reaches position 3 (since $\alpha = 3$), but under the synchrony assumption this input is missed, as the input event is not aligned with an edge of the controller clock, i.e., its arrival time is not divisible by WCRT = 2 (see Figure 4b). An event driven system would, on the other hand, easily capture this input event. Hence, there is an implicit assumption in the hybrid automaton that the control logic is event driven rather than clock-driven, as is the case with synchronous controllers. This is yet another problem that needs to be addressed when designing synchronous controllers.
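The argument of Sections 3.1.1, 4.1 and 4.2 can be reproduced by co-simulating the plant and the controller. The following is an added example written for this page (not code from the paper): it integrates the carousel plant at a fixed step and lets the TRDC react under three controller models, the zero-delay hybrid-automaton semantics, an event-driven controller with a non-zero WCRT, and a clock-driven synchronous controller that only samples at multiples of its WCRT. The `latch` option, where the sensor holds S1 until the next sample instead of raising it as a single-instant event, is this example's own assumption and is not part of the paper's model. $\alpha$, $\beta$, $\theta$, WCRT = 2 and the unit velocities are the paper's values; all function names are ours.

```python
"""Added example: plant/controller co-simulation of the carousel of Section
3.1.1 under the zero-delay, event-driven and clock-driven controller models
discussed in Section 4.  Function names and the `latch` option are this
example's own assumptions, not the paper's."""
from fractions import Fraction as F


def simulate(alpha, beta, theta, wcrt=0, clock_driven=False, latch=False,
             dt=F(1, 10), t_max=60):
    """Co-simulate the carousel plant and the TRDC controller.

    Plant (velocities 1, as in the paper): x is the ice-cream position, y the
    diverter position.  Mode A: x' = 1.  Mode B: x' = 1, y' = 1 until y = theta.
    Mode D is entered once the diverter has moved theta; safe iff x < beta there.

    Controller: wcrt == 0 is the zero-delay hybrid-automaton semantics;
    wcrt > 0 with clock_driven=False is an event-driven controller that still
    needs WCRT to react; clock_driven=True samples only at multiples of WCRT,
    so an S1 raised between ticks is missed unless latch=True (assumption of
    this example: the sensor holds S1 until the next sample).
    Returns (x at entry to mode D, or None if never diverted; safety holds)."""
    x = y = t = F(0)
    mode = "A"
    s1_pending = False        # S1 raised when x reached alpha, not yet reacted to
    react_done = None         # instant at which the controller's S2 takes effect
    while t < t_max:
        # plant: continuous evolution over one integration step
        x += dt
        if mode == "B":
            y += dt
        t += dt
        # sensor: S1 is raised at the instant the ice-cream reaches alpha
        if not s1_pending and react_done is None and x >= alpha and x - dt < alpha:
            s1_pending = True
        # controller decision (tag read, S2 emitted) while in mode A
        if mode == "A" and s1_pending and react_done is None:
            if wcrt == 0:
                react_done = t                      # instantaneous mode switch
            elif not clock_driven:
                react_done = t + wcrt               # reaction starts at the event
            elif (t / wcrt).denominator == 1:       # event aligned with a tick
                react_done = t + wcrt
            elif not latch:
                s1_pending = False                  # not aligned: event missed
        if mode == "A" and react_done is not None and t >= react_done:
            mode = "B"                              # diverter starts moving
        if mode == "B" and y >= theta:              # diverter in position: mode D
            return x, x < beta
    return None, False


def largest_safe_alpha(beta, theta, **controller):
    """Design question of Section 4: where can the TRDC be placed so that the
    safety property holds?  Returns the largest integer alpha in 1..beta-1 that
    is safe for this controller model, or None when no placement works."""
    safe = [a for a in range(1, beta) if simulate(a, beta, theta, **controller)[1]]
    return max(safe) if safe else None


if __name__ == "__main__":
    # Paper's values: alpha = 3, beta = 10, theta = 6, WCRT = 2
    print("zero delay      ", simulate(3, 10, 6))
    print("event driven    ", simulate(3, 10, 6, wcrt=2))
    print("clock driven    ", simulate(3, 10, 6, wcrt=2, clock_driven=True))
    print("clock + latch   ", simulate(3, 10, 6, wcrt=2, clock_driven=True, latch=True))
    for name, kw in [("zero delay", {}), ("event driven", {"wcrt": 2}),
                     ("clock + latch", {"wcrt": 2, "clock_driven": True, "latch": True})]:
        print(name, "largest safe alpha:", largest_safe_alpha(10, 6, **kw))
```

With the paper's values the runs give position 9 (safe), 11 (unsafe) and a missed event, as Figures 2b and 4 show. Latching the sensor turns the missed event into a late one (position 12), and the placement search then returns None: with WCRT = 2 and $\theta = 6$ no position of the TRDC on a carousel of length 10 satisfies the property, so the fix has to come from a faster controller or a shorter diverter travel, not from moving the reader.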

The aforementioned problems occur due to the non-zero reaction time of the synchronous controllers. More precisely, the plant makes progress while the controller carries out internal computations, unlike in the hybrid automaton, where the discrete mode-switches take zero time. This plant behavior could be modeled by labeling the discrete transitions in the hybrid automaton with differential equations. But this solution does not sit well with the semantics of the hybrid automaton. The time for the discrete transition depends upon the implementation of the controller, which differs depending upon the underlying platform, compiler technology, etc. Hence, if we were to simply label the discrete transitions with differential equations, the evolution of the continuous plant variables would depend upon the speed of the controller, which is in stark contrast to the semantics of the hybrid automaton [1]. In light of these problems we need a new programming model for design and verification of hybrid systems. In the rest of the paper we present a powerful language called HySysJ that: (1) results in high fidelity hybrid system models by incorporating time-delayed mode switching, (2) allows automatically extracting controllers for implementation from the hybrid model and (3) allows for automatic formal verification of the hybrid system.

5 The base language

The proposed language HySysJ builds atop the synchronous subset of the SystemJ [21] programming language, which is itself inspired by Esterel [3]. The core kernel statements of the language are given in Figure 5. The core synchronous language constructs in SystemJ are borrowed directly from Esterel. The nothing construct terminates instantaneously and is primarily used in the structural operational semantics during term rewriting. Every signal is declared via the signal declaration statement. The type declaration for a signal is optional. A non-typed signal is considered to be a pure signal whose status can be set to true for one logical tick by emitting it (via emit) and is false if it is not emitted in that logical tick. A valued signal has a value and a status. Every valued signal is uniquely associated with one of the types: ratio, integer, or boolean. A signal can be emitted multiple times with different values in the same logical tick. In such cases, the signal values are combined with operators defined during signal declaration. Only associative and commutative operators (e.g., op+ and op*) are permitted over signal values
    signal S, A, B;
    emit S;
    if (S) emit A else emit B;
    pause

(a) Synchronous program code snippet 1

(b) SystemJ logical timing behavior of snippet 1. Tick 1: S, B

    signal S, A, B;
    emit S;
    pause; // additional pause
    if (S) emit A else emit B;
    pause

(c) Synchronous program code snippet 2

(d) SystemJ logical timing behavior of snippet 2. Tick 1: S. Tick 2: A

Fig. 6: SystemJ vs. Esterel logical timing behavior

and everything must be well-typed in the expected way. Unlike the status of a signal, the value of a signal is persistent over logical ticks. A block of statements can be preempted or suspended for a single tick using the abort and suspend constructs, respectively. The if construct is the usual branching construct, operating on the status or values of signals. Moreover, one or more of the aforementioned statements can be run in lockstep parallel using the synchronous parallel operator ||. Finally, the loop construct is used to write temporal loops, whereby each iteration consumes a logical tick via the pause construct.

The synchronous semantics of SystemJ differs from Esterel in one significant way: the emission of every signal is delayed by a single logical tick and is only visible in the next iteration of the synchronous program. We describe these so called delayed signal semantics using the simple code snippets shown in Figure 6.

Figure 6a shows a very simple synchronous program. Three pure signals S, A, and B are declared. Signal S is emitted and then its status is checked for presence: if this signal has been emitted, then signal A is emitted, else signal B is emitted. Finally, the program ends with the pause statement indicating the end of the logical tick. The logical timing behavior of this SystemJ program is shown in Figure 6b. In SystemJ, the emission of a signal makes it visible only in the next logical tick, hence this program emits signal B in the first logical tick. The logical timing behavior achieved by slightly changing the program (inserting an additional pause construct) is shown in Figures 6c and 6d. In this case, since signal S is emitted in tick 1, its status is true in tick 2 and hence SystemJ, following the so called delayed signal semantics, emits signal A in the second tick.

Valued signals follow rules similar to signal statuses, i.e., reading the value of a signal (e.g., ?S) always gives the value from the previous logical tick or the default value (0 usually), while setting the value of the signal (e.g., ?S = 2) always sets the current value. The previous


    ?s = ?s + 1

Fig. 7: Code snippet that is incorrect in Esterel, but correct in SystemJ

stmt1 ::= stmt2
stmt2 ::=
      | "cont" a [op "=" expr]
      | "cont" a ["=" expr]
      | a "=" expr
      | "do" "{" stmt3 "}" "until" "(" expr ")"
stmt3 ::=
      | a "'" "=" expr
      | a "'" "=" expr ["||" stmt3]

(a) The syntactic constructs for continuous variable declaration and manipulation

    signal R;
    abort (R)
    loop {
        a = a + ρ * WCRT;
        if (!TTL([a' = ρ], expr, {a})) emit R;
        pause
    }

(b) The rewrite for the derived construct: do {a' = ρ} until (expr)

    signal R;
    abort (R)
    loop {
        a = a + ρ * WCRT; b = b + σ * WCRT;
        if (!TTL([a' = ρ, b' = σ], expr, {a, b})) emit R;
        pause
    }

(c) The rewrite for the derived construct: do {a' = ρ || b' = σ} until (expr)

Fig. 8: The continuous variables and the derived construct operating on these variables in HySysJ

value of the signal is updated to the current value at the end of the logical tick.

This so called delayed signal semantics implicitly avoids a plethora of problems that plague Esterel programs, related to causality. Consider the code snippet in Figure 7. In the case of Esterel, the value of signal s is fed back to itself in the same logical tick, and hence, in Esterel, one needs to check that ?s == (?s + 1), which obviously has no solution. But in SystemJ, since signal values are only ever updated at the end of a logical tick, the program in Figure 7 is computable.

Now that we have described the base language and its syntactic constructs, we are ready to introduce the continuous elements into the synchronous subset of SystemJ that will result in the new HySysJ hybrid system specification language.


6 HySysJ: introducing continuous time in synchronous SystemJ

The most fundamental modification to the synchronous language described in Section 5 is the introduction of continuous variables and related actions that manipulate these variables. Following standard practice, we will first introduce the syntactic extensions and then describe the semantics.
6.1 Syntax of continuous actions

The syntactic extensions to declare and manipulate the continuous variables are given in Figure 8a. Every continuous variable is declared with the qualifier cont. A default value can be specified during declaration. Uninitialized continuous variables take a default value of 0. Furthermore, a commutative and associative operator (op) can be used to combine the values of the continuous variables, just like in the case of valued signals. The type of every continuous variable is a ratio.

Two forms of syntactic extensions are allowed for manipulating continuous variables: (1) a direct assignment to the continuous variable, or use of continuous variables in expressions, called instantaneous actions, and (2) writing first order ODEs inside a do until (expr) block that evolve the continuous variables, called flow actions. We use primed symbols (e.g., a' = c, where c is some constant) to describe these first order derivatives. One or more such ODEs can be specified inside the do block. The synchronous parallel operator || is used to specify more than one ODE inside the do block. Every ODE inside the do block is evaluated simultaneously until the expr (the so called invariant condition) holds true. The until expr is required to evaluate to a Boolean true or false value.


6.2 Semantics of continuous actions 

6.2.1 Instantaneous actions 


Instantaneous actions are so called because the statement terminates instantaneously, without consuming a logical tick. Examples of instantaneous actions are shown in Figure 9. These include assigning a value to a continuous variable, reading the value of a continuous variable, assigning the value of the continuous variable to a valued signal or another continuous variable, etc.

Continuous variables, like signals, follow delayed semantics. Hence, using a continuous variable in an expression (the right hand side in the case of an assignment statement) always gives the value from the previous logical tick or the default value. A new value is assigned to a continuous variable only at the end of the current logical tick.

In Figure 10a continuous variable a is first declared, with a default value of 0, and then assigned a value of 1. Next, an if else block is used to check the value of a. If the value of a is 1, then signal S1 is emitted, else signal S2 is emitted. The same program is presented in Figure 10b, except that a pause statement is inserted after the assignment statement a = 1. In the first case, due to delayed semantics, when the value of a is read in the if expression the returned value is 0 (the default value) and hence signal S2 is emitted. On the other hand, in Figure 10b, when the program flow reaches the if statement it is the second logical tick and hence the value of a is 1 (assigned in the previous logical tick), thus signal S1 is emitted.


cont a = 0; // declaring a continuous variable with initial value 0
a = 1; // assigning value 1 to continuous variable a
if (a == 1) emit S; // continuous variable used in an expression
?S = a; // value of continuous variable a assigned to a valued signal

Fig. 9: Instantaneous actions on continuous variables in HySysJ


signal S1, S2; // declaring pure signals
cont a; // declaring a with default value 0
a = 1; // assigning value 1 to continuous variable a
if (a == 1) emit S1 // continuous variable used in an expression
else emit S2;
pause

(a) Code snippet 1

signal S1, S2; // declaring pure signals
cont a; // declaring a with default value 0
a = 1; // assigning value 1 to continuous variable a
pause;
if (a == 1) emit S1 // continuous variable used in an expression
else emit S2;
pause

(b) Code snippet 2

Fig. 10: Instantaneous actions on continuous variables in HySysJ with delayed semantics

It is important to note that the name instantaneous action does not mean that the value of the continuous variable changes instantaneously. Every continuous variable changes its value only at the end of the tick. The name instantaneous action only implies that the statement itself is instantaneous and does not consume a logical tick (see footnote 1).


6.2.2 Flow actions 

The flow actions are programmed using do until blocks and are first order ODEs with a constant rate of change. In the example in Figure 11a, continuous variable a is declared and initialized to a value of 0, which is an instantaneous action. Next, this variable evolves continuously inside a do until block until its value is 2. In the next example (Figure 11b), two variables, a and b, evolve together until the invariant condition (the until expression) holds. One can also combine multiple such flow actions together in synchronous parallel (Figure 11d). Finally, HySysJ also allows preempting flow actions using the standard preemptive constructs from the base language (Figure 11e).

6.2.2.1 Semantics and intuitive explanation for simple flow actions: In this section we describe the rewrite semantics of simple flow actions and give the intuitive explanation for these rewrites. A complete formal treatment is provided in the Appendix.

Consider the simple flow action in Figure 11a: variable a evolves linearly with time until it reaches the value 2. The first order ODE in Figure 11a has the solution $a = \int 1 \, dt = 1 \times t + C$, where 1 is the rate of change of a and C is the initial value of a. Furthermore, the until expression gives the upper bound on this indefinite


1. Every statement in HySysJ, except for pause, is instantaneous.















cont a = 0;
do {a' = 1} until (a <= 2)

(a) Example with one continuous variable

cont a = 0, b = 0;
do {a' = 2 || b' = 2} until (a <= 16 && b <= 10)

(b) Example with two continuous variables

cont a = 0, b = 0;
do {a' = 1 || b' = 1} until (a <= 10 && b <= 6)

(c) Another example of two continuous variables

cont a = 0, b = 0;
do {a' = 1} until (a <= 10) || do {b' = 1} until (b <= 6)

(d) Example of parallel composition of flow actions

signal S;
cont a = 0;
abort (S) { do {a' = 1} until (true) } || {pause; emit S; pause}

(e) Example of preemption of continuous variable evolution

Fig. 11: Examples of continuous actions in HySysJ

integral. For this very simple flow action, the upper bound of the integral is 2. Hence, the value of a is $a = [t]_0^2 + C = 2 + C$. From Figure 11a we also know that the initial value of a is 0, i.e., C = 0, and therefore a = 2.


$$\int_0^{k} \rho \, dt + C = \sum_{n=0}^{k-1} \rho \times \Delta t + a[0] \qquad (1)$$

$$\therefore \; a[k] = a[0] + \sum_{n=0}^{k-1} \rho \times \mathrm{WCRT} \qquad (2)$$

The main idea of our rewrite is to approximate the continuous evolution of a using a discrete time model. Equation 1 gives this approximation. We take advantage of the synchronous nature of our programming language. Every HySysJ program proceeds in discrete logical ticks; the value of variable a at tick 0 (the initial value) is denoted a[0]. Similarly, for some tick n, the value is denoted by a[n]. In Equation 1, Δt is the time between two discrete logical ticks, which is the WCRT as stated in Section 3.2 and can be computed statically for any HySysJ program [9]. ρ is the rate of change, which is always a constant for any linear ODE. Finally, the upper bound of the summation (k − 1) is dependent upon the until expression.

Equation 2, obtained from Equation 1, is clearly a bounded reduction on a (using sum), which in any imperative language is written using a bounded loop. Hence, our rewrite for any linear ODE is a bounded temporal loop computing the value of the continuous variable, as shown in Figure 12a. In Figure 12a the temporal loop performing the reduction on a is the loop block; the actual reduction is performed by the assignment a = a + WCRT. This temporal loop is exited using a combination of the emit and abort constructs. Finally, the upper bound k in Equation 2 is computed dynamically in the rewrite using the procedure TTL (Time To Live) shown in Algorithm 1. In the general case it is impossible to statically (at compile time) compute the upper bound k in Equation 2, since one can have complex invariant conditions specified in the until expressions and hence, dynamically (at program execution time) deciding when to abort the temporal loop is the only viable option.

Delayed semantics play a crucial role in the rewrite of Figure 12a:

• Computability of the reduction: Reading the value of a (in the assignment a = a + WCRT) always gives the value from the previous tick. Writing to a succeeds only at the end of the logical tick, i.e., when the control flow reaches the pause construct. The delayed semantics make the reduction computable. Moreover, the updated value of a is stable and observable only at the end of the tick, following delayed semantics.

• The TTL algorithm: The TTL algorithm, which decides when to abort the infinitely running temporal loop, is also dependent upon the delayed semantics. The abort construct checks if the status of signal R was set to true in the previous logical tick (statuses of signals are false upon declaration), following delayed semantics, and if so, aborts the loop performing the reduction. Signal R is emitted inside the loop body, provided the Boolean value returned from the TTL algorithm is not true. The status of R is updated only at the end of the tick (at the pause, which is also the completion of an iteration of the loop). Hence, we are guaranteed that at least one iteration of the temporal loop will take place, irrespective of the invariant in the until expression. From Equation 2, we know that a[k] for some tick k satisfies the until invariant. Obviously, a[k − 1] should also satisfy this invariant condition. But a[k + 1] should never satisfy the until invariant. Due to delayed semantics, we now know that given a[k − 1], a[k] will always be computed. In order not to reach tick k + 1 (since a[k + 1] violates the until invariant), signal R should have its status set to true at the end of tick k. Hence, the signal R should be emitted in the program transition from tick k − 1 to k (denoted as [k − 1, k)). But during this program transition we only know the value a[k − 1], which consequently means that algorithm TTL needs to look ahead 2 ticks (k + 1 − (k − 1) = 2) and return the Boolean value true if the predicted value satisfies the until invariant and false otherwise. If the invariant condition is satisfied 2 ticks from now, then one more iteration of the loop is allowed to be carried out, else the loop terminates at the end of the current program transition.


We use the example in Figure 11a and its rewrite in Figure 12a to explain how the required TTL algorithm behavior is achieved. In the rest of the paper we assume, for the sake of understanding, that the statically computed WCRT value of every HySysJ program is 2 units. The TTL algorithm (Algorithm 1) takes 3 inputs: (1) a list of ODEs (Q) within one do block, (2) the until invariant
ALGORITHM 1: Algorithm to calculate TTL

Input: Q: a list of ODEs from one do block
Input: expr: the until expression
Input: V: the set of continuous variables in Q
Result: a Boolean value

2  A ← ∅;
3  for each v in V do
4      τ ← [v]^a + 2 * get_rho^b(filter(Q, v)) * WCRT;
       // Union the value τ of v two ticks from now into set A
5      A ← A ∪ {v → τ};
6  end
7  return holds_at_delta(expr, A);

a. [v] is the current value of the continuous variable v.
b. Function get_rho returns the rate of change for the continuous variable v.


(expr), and (3) the set of continuous variables evolving in the do block (V). For our running example these inputs are shown in Figure 12a, in the call to TTL. Algorithm 1 computes for each continuous variable from the set V its value two ticks from now (Algorithm 1, line 4) and places it into a set A. Finally, TTL checks if the values in set A satisfy the invariant condition. In the running example, TTL, when called on the program transition [0, 1), obtains [a] = 0, the current value of a (since a is initialized to 0). The filter function (Algorithm 1, line 4) first gets the ODE corresponding to variable a, in this case a' = 1. Next, the get_rho function gets the rate of change from the ODE, which is simply 1 in this case. Thus, the computed τ value is τ = 0 + 2 × 1 × 2 = 4 (assuming WCRT = 2). Thus, a[2] = 4 does not satisfy the invariant a ≤ 2 and hence, signal R is emitted in the transition [0, 1) itself. The resultant timing behavior of the rewrite in Figure 12a is shown in Figure 12b.

cont a = 0;
signal R;
abort (R)
loop {
  a = a + WCRT;
  if (!TTL ([a' = 1], a <= 2, {a}))
    emit R;
  pause
}

(a) Rewrite for flow action in Figure 11a

(b) The timing diagram for Figure 12a: a = 2 at tick 1

cont a = 0, b = 0;
signal R;
abort (R)
loop {
  a = a + (2 * WCRT);
  b = b + (2 * WCRT);
  if (!TTL ([a' = 2, b' = 2], a <= 16 && b <= 10, {a, b}))
    emit R;
  pause
}

(c) Rewrite for flow action in Figure 11b

(d) The timing diagram for Figure 12c: a = 4, b = 4 at tick 1; a = 8, b = 8 at tick 2 (t axis in units of WCRT)

cont a = 0, b = 0;
signal R;
abort (R)
loop {
  b = b + WCRT;
  a = a + WCRT;
  if (!TTL ([a' = 1, b' = 1], a <= 10 && b <= 6, {a, b}))
    emit R;
  pause
}

(e) Rewrite for flow action in Figure 11c

(f) The timing diagram for Figure 12e

    … b <= 6, {b}))
    emit R;
  pause;

(g) Rewrite for flow action in Figure 11d

signal S;
cont a = 0;
abort (S) {
  loop {
    a = a + WCRT;
    pause
  }
} || {pause; emit S; pause}

(i) Rewrite for flow action in Figure 11e

(j) The timing diagram for Figure 12i

Fig. 12: Rewrites for the flow actions in Figure 11 with WCRT = 2
6.2.2.2 Semantics of complex flow actions: Multiple continuous variables evolving together can also be handled by the rewrites. The general rewrite for flow actions evolving multiple variables is shown in Figure 8. The basic idea of bounded reduction remains the same. The only difference is that each evolving variable is reduced sequentially, one after the other.

Take for example the flow action depicted in Figure 11b. This flow action is read as follows: continuous variables a and b should evolve simultaneously (hence the || composition inside the do block) until the invariant condition holds true. The rewrite and the timing behavior for this HySysJ program are shown in Figure 12c and Figure 12d, respectively. Variables a and b both evolve at twice the speed of the clock. From the until expression it is clear that a reaches the value of 16 when t = 8, but b reaches the value of 10 at t = 5. Furthermore, given that WCRT = 2, the set A = {a → 8, b → 8} during the program transition [0, 2), but {a → 12, b → 12} in the program transition [2, 4), which does not satisfy the flow action invariant, in turn emitting signal R, and hence the program terminates at tick 2.


Next, we contrast the flow actions in Figures 11c and 11d to show the difference between the synchronous composition within the do block and the synchronous composition of two do until blocks. Both these code snippets have the same ODE expressions. In both these cases, variables a and b evolve linearly and simultaneously. However, a single invariant condition constrains the evolution of variables a and b in Figure 11c, while different invariant conditions constrain the evolution of a and b in Figure 11d. The loop in Figure 12e (the rewrite for Figure 11c) gets preempted, in turn terminating the program, at the third logical tick. In the case of Figure 12g, only the second synchronous parallel reaction gets terminated at the third logical tick, but the whole program cannot terminate due to the lockstep semantics of the || operator. Hence, the program terminates only when the loop in the first synchronous parallel reaction terminates: at tick 5. Variable b stops evolving at the end of the third tick, whereas a evolves until the end of the program and takes the value 10.
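The rewrite of Section 6.2.2.1 and the two-tick look-ahead of Algorithm 1 can be checked by executing them. The following Python simulation is an added example, not code from the paper or from the HySysJ compiler: it implements the bounded temporal loop of Figure 12 (read the previous tick's value, write at the pause, emit R when the invariant fails two ticks ahead, abort one tick after the emission) and runs the flow actions of Figures 11a to 11d in lock-step. The names Flow, ttl, run and final_values, and the WCRT of 2, are this example's assumptions.

```python
# Added example (not from the paper): discrete-time simulation of the HySysJ
# flow-action rewrite, i.e. the bounded temporal loop
#   abort (R) loop { v = v + rho * WCRT; if (!TTL(...)) emit R; pause }
# with delayed semantics for continuous variables and signals, and the
# two-tick look-ahead of Algorithm 1. Flow, ttl, run are this example's names.
from typing import Callable, Dict, List, Tuple

State = Dict[str, float]
Invariant = Callable[[State], bool]

WCRT = 2  # the paper's running assumption: every program has WCRT = 2 units


def ttl(rates: Dict[str, float], invariant: Invariant, state: State,
        wcrt: int = WCRT) -> bool:
    """Algorithm 1: predict each evolving variable two ticks ahead from the
    value readable in this transition (the previous tick's value) and test
    the until expression on the predicted values."""
    ahead = {v: state[v] + 2 * rho * wcrt for v, rho in rates.items()}
    return invariant(ahead)


class Flow:
    """The rewrite of one `do {v1' = r1 || v2' = r2 ...} until (expr)` block."""

    def __init__(self, rates: Dict[str, float], invariant: Invariant):
        self.rates = rates
        self.invariant = invariant
        self.r_status = False  # status of R as seen by abort(R): last tick's emission
        self.done = False

    def step(self, state: State, wcrt: int = WCRT) -> State:
        """One program transition [k, k+1). Reads previous-tick values from
        `state`; returns the writes that become visible at the end of the tick."""
        if self.done:
            return {}
        if self.r_status:  # abort(R) reacts one tick after `emit R` (delayed)
            self.done = True
            return {}
        # the reduction v = v + rho * WCRT, one ODE per variable
        writes = {v: state[v] + rho * wcrt for v, rho in self.rates.items()}
        # emit R iff the invariant fails two ticks ahead; abort sees it next tick
        self.r_status = not ttl(self.rates, self.invariant, state, wcrt)
        return writes


def run(init: State, flows: List[Flow], wcrt: int = WCRT,
        max_ticks: int = 1000) -> Tuple[List[State], int]:
    """Run flows in synchronous parallel (lock-step). Returns the values at the
    end of every tick (index 0 = initial values) and the tick of the last write.
    The program terminates when every parallel reaction has been aborted.
    Assumes the flows write disjoint variables (no write-write conflicts)."""
    state = dict(init)
    trace = [dict(state)]
    for _ in range(max_ticks):
        writes: State = {}
        for f in flows:
            writes.update(f.step(state, wcrt))
        if all(f.done for f in flows):
            break
        state.update(writes)  # every write takes effect at the end of the tick
        trace.append(dict(state))
    return trace, len(trace) - 1


def final_values(init: State, flows: List[Flow],
                 wcrt: int = WCRT) -> Tuple[State, int]:
    """The variable values when the program terminates and the tick of the
    last write (what the paper's timing diagrams show)."""
    trace, last = run(init, flows, wcrt)
    return trace[-1], last


if __name__ == "__main__":
    # Figure 11a: a' = 1 until a <= 2  ->  a = 2, last write at tick 1
    print(final_values({"a": 0}, [Flow({"a": 1}, lambda s: s["a"] <= 2)]))
    # Figure 11d: two do-until blocks in parallel -> a = 10, b = 6, tick 5
    print(final_values({"a": 0, "b": 0},
                       [Flow({"a": 1}, lambda s: s["a"] <= 10),
                        Flow({"b": 1}, lambda s: s["b"] <= 6)]))
```

Because `step` only ever reads `state` (the previous tick's values) and `run` commits the writes after every reaction has run, the read-write case of Section 6.2.5 needs no extra machinery: a reaction that inspects a in the same transition sees the stable value from the last pause.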

Until now we have only looked at examples where the evolution of continuous variables is constrained by invariant conditions akin to the hybrid automaton. Now we look at an example where the evolution of a continuous variable is interrupted by a preemption construct (see footnote 2). Consider the code snippet in Figure 11e: the flow action states that a should evolve linearly with the driving clock forever. This continuous action is encapsulated inside an abort construct that preempts the evolution of a when signal S is present. Signal S is emitted from a synchronous parallel reaction in the second logical tick. The rewrite for this code snippet is shown in Figure 12i along with its timing behavior in Figure 12j. The until (true) invariant condition is converted into a


2. We allow continuous actions to be encapsulated in any base 
language construct. 


1 cont a op+ = 1;
2 input signal FAULT;
3 loop {
4   abort (FAULT) {
5     do {a' = 1} until (a <= 5)
6   }
7   a = 1; // resetting a to 1
8 }

(a) Example of schizophrenic code snippet

(b) The timing diagram for Figure 11a when FAULT occurs in the first logical tick: a = 3 at tick 1, a = 6 at tick 2 (t axis in units of WCRT)

(c) The timing diagram for Figure 11a when the FAULT signal never occurs

(d) Correct behavior after insertion of pause after the assignment statement a = 1

Fig. 11: Schizophrenic flow actions in HySysJ

simple loop with a pause (a blocking loop). The rest of the program remains the same. Signal S is emitted in the second tick and responded to by the abort construct in the third tick, due to delayed signal semantics. The final observable value of a is 6 when the program terminates. This preemption based termination of continuous actions will be an important component of modeling time-delayed mode-switches.


6.2.3 Schizophrenia 

Encapsulating flow actions within preemption state¬ 
ments instantaneously brings forth the question of 
schizophrenia - the possibility that a single continuous 
variable can take different values in the same logical tick. 


Consider the example code snippet in Figure 11a. The continuous variable a evolves until it reaches 5. This evolution might be preempted if a FAULT signal is present from the environment. Once the evolution of the variable is completed or preempted, a is reset and then the evolution begins again; at least that is the expectation. Given that the initial value of a is 1 and it needs to evolve until it reaches the value of 5 (assuming WCRT = 2), the loop is bounded by two ticks.

The timing behavior of Figure 11a is shown in Figure 11b. Let us assume that the FAULT signal does occur in the first logical tick. Due to delayed signal semantics, the abort statement responds to the FAULT signal only in the second tick. Thus, at the end of the first tick, a takes the value 3. In the second program transition, [2, 4), the evolution of the variable a stops due to preemption and a is assigned the value 1. But, due to the loop statement (line 3), the program control flow reenters the do until block, thereby evolving a again in the same program transition. Thus, in the second program transition a has two values: 1 due to the instantaneous assignment statement, and a = a + WCRT due to reentrance into the flow action. Effectively, a takes two different values simultaneously; this is termed schizophrenia.

The associative and commutative combination operators defined during continuous variable declaration are used to resolve such schizophrenic behavior. In Figure 11a, a is declared with the combination operator op+. This means that if a takes two different values in the same program transition, then the two values are added together and the result is the final value of a at the end of the tick. For the program in Figure 11a, during the second program transition, a takes on two different values: 1 and a = 3 + 2 = 5. Recall that WCRT = 2 and a has the value 3 from the previous tick. These two values are combined, via addition, to give the final result of 6 at the end of the second logical tick, as shown in Figure 11b.


cont a op+ = 0;
loop {
  do {a' = 1} until (a <= 4)
  || …
  a = 0; // resetting to 0
  pause
}

(a) Example of simultaneous writes to the same continuous variable in HySysJ. WCRT = 2

(b) The timing diagram for Figure 12a: a = 3 at tick 1, a = 5 at tick 2, a = 0 at tick 3, a = 3 at tick 4, a = 5 at tick 5 (t axis from 0 to 10 in units of WCRT)

cont a op+ = 0;
do {a' = 1 || a' = 1} until (a <= 4)

(c) Example of simultaneous writes to the same continuous variable within one do block in HySysJ. WCRT = 2

(d) The timing diagram for Figure 12c: a = 4 at tick 1

The timing behavior of the program in Figure 11a


without fault is shown in Figure 11c. This again is not the expected behavior, since the designer expects to reset a once it reaches the value 5. Thus, the expected value of a is 3 at the end of the third tick, but the actual value is 8. This unexpected behavior stems from the fact that, even without faults, the program reenters the do until block due to the loop statement in the third program transition, [4, 6). Hence, instead of resetting the value of a to 1, a takes two different values, 1 and 7, simultaneously, which get combined via the addition operator to give the final result of 8. Thus, unlike in the hybrid automaton, where reset actions instantaneously reset the value of continuous variables, resetting a continuous variable in HySysJ requires the insertion of the pause construct after the assignment statement. The behavior with the insertion of a pause statement after the assignment statement a = 1 is shown in Figure 11d.

6.2.4 Write-write semantics

Writing simultaneously to the same continuous variable in the same program transition is allowed in HySysJ. Simultaneous writes can be achieved via synchronous parallel composition, and these simultaneous writes to the same continuous variable are resolved using the same technique (combination operators) as described in Section 6.2.3. Two examples of simultaneous writes are shown in Figures 12a and 12c. The timing behavior (see Figure 12b) is as expected in the case of Figure 12a. In the first tick, a takes the value 3, even though the initial condition (and subsequent reset value) is 0, due to the combination operator op+.

HySysJ also allows simult aneous writes within the same do block, as shown in Figure 12c. The algorithm (Algorithm 1) needs to be modified now that simultaneous writes to the same variable are allowed within the same do block. The new TTL procedure is shown in Algorithm 2.


Fig. 12: Write-write semantics in HySysJ


ALGORITHM 2: New algorithm to calculate TTL

Input: Q: a list of ODEs from one do block
Input: expr: the until expression
Input: V: the set of continuous variables in Q
Input: M: the map from continuous variable to combine operator^a
Result: a Boolean value

1   let A ← ∅;
2   for each v in V do
3       // R contains the rates of change of v
4       R ← get_rhos(filter(Q, v));
5       if |R| > 1 then
6           Γ ← (map (λ_. [v]) R);
            // Compute the value of v two ticks from now
7           for i in 0..1 do
                // γ is the current value of v, ρ is a rate of change of v
8               τ ← reduce(M.get(v), (map (λρ.λγ. γ + ρ * WCRT) R Γ));
9               Γ ← (map (λ_. τ) Γ);
10              i ← i + 1;
11          end
12          A ← A ∪ {v → τ};
13      else
14          τ ← [v] + 2 * R.get(0) * WCRT;
15          A ← A ∪ {v → τ};
16      end
17  end
18  return holds_at_delta(expr, A);

a. One can statically check at compile time that the combine operator is linear.

In the modified version, a new input argument is required: a map from each continuous variable to its corresponding combine operator. The overall result of Algorithm 2 is the same Boolean value as for Algorithm 1, except that combine operators are now invoked to calculate the value, two logical ticks from the current tick, of all continuous variables which evolve simultaneously within the same flow action.

The new TTL procedure can be described with the example program code in Figure 12c. Continuous variable a is evolving simultaneously and linearly until it is less than or equal to 4. In Algorithm 2, V = {a}, Q = [a' = 1, a' = 1] and M = {a → +}. First, Algorithm 2 checks if variable a is being modified by more than 1 ODE simultaneously (line 5), which is true in this case. The then branch is taken and the value of τ is calculated as 12 (lines 6 to 12); thus A = {a → 12}, which does not satisfy the invariant. Hence, the program terminates at the end of the very first program transition. The resultant timing behavior is shown in Figure 12d.

In Algorithm 2 we especially need to check that the combine operator is linear, in order to enforce compatibility with the linear hybrid automaton. A programmer might use the op* (multiplication) operator to combine simultaneously evolving continuous variables, which models a higher order ODE (see footnote 3). Programs combining continuous variables with a non-linear combine operator are rejected at compile time.
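The then branch of Algorithm 2 and the linearity check on the combine operator, as an added Python example (not the paper's or the HySysJ compiler's code): value_ahead folds the simultaneous writes with the combine operator for two ticks, ttl2 follows Algorithm 2 for a do block with one or several ODEs per variable, evolve runs the resulting bounded loop for the program of Figure 12c, and is_linear is an assumed numeric stand-in for the compile-time linearity check (it tests additivity and homogeneity on constructed sample points, where a real compiler would check the operator symbolically). The loop re-entry of Section 6.2.3 is not modelled here.

```python
# Added example (not from the paper): Algorithm 2 (TTL with combine operators)
# for a variable written by several ODEs in one do block, the bounded loop of
# the rewrite for such a block, and a numeric stand-in for the compile-time
# check that the combine operator is linear. All names are this example's own.
from functools import reduce
from typing import Callable, Dict, List

WCRT = 2  # the paper's running assumption
Combine = Callable[[float, float], float]
Invariant = Callable[[Dict[str, float]], bool]


def is_linear(op: Combine) -> bool:
    """Assumed stand-in for the static check of Algorithm 2 (footnote a):
    accept op only if it is additive and homogeneous on constructed sample
    points. op+ passes; op* and max fail, i.e. they would model a non-linear
    (or higher order) ODE and the program must be rejected at compile time."""
    samples = ((0.0, 1.0), (2.0, 3.0), (-1.5, 4.0))
    for x, y in samples:
        for c in (2.0, -3.0):  # homogeneity: op(cx, cy) = c * op(x, y)
            if abs(op(c * x, c * y) - c * op(x, y)) > 1e-9:
                return False
        # additivity against the swapped point: op(x+y, y+x) = op(x,y) + op(y,x)
        if abs(op(x + y, y + x) - (op(x, y) + op(y, x))) > 1e-9:
            return False
    return True


def value_ahead(current: float, rates: List[float], op: Combine,
                ticks: int = 2, wcrt: int = WCRT) -> float:
    """Then branch of Algorithm 2: in every tick each ODE writes
    current + rho * WCRT, the simultaneous writes are combined with op, and
    the combined value is what the next tick reads. Returns the value `ticks`
    ticks from now."""
    gamma = current
    for _ in range(ticks):
        gamma = reduce(op, [gamma + rho * wcrt for rho in rates])
    return gamma


def ttl2(rates_per_var: Dict[str, List[float]], invariant: Invariant,
         state: Dict[str, float], ops: Dict[str, Combine],
         wcrt: int = WCRT) -> bool:
    """Algorithm 2: build the set A of values two ticks ahead and test expr."""
    ahead: Dict[str, float] = {}
    for v, rates in rates_per_var.items():
        if len(rates) > 1:
            if not is_linear(ops[v]):
                raise ValueError(f"non-linear combine operator for {v}: rejected")
            ahead[v] = value_ahead(state[v], rates, ops[v], 2, wcrt)
        else:  # single ODE: identical to Algorithm 1
            ahead[v] = state[v] + 2 * rates[0] * wcrt
    return invariant(ahead)


def evolve(init: float, rates: List[float], op: Combine, invariant: Invariant,
           wcrt: int = WCRT, max_ticks: int = 100) -> List[float]:
    """The rewrite's bounded loop for `do {a' = r1 || a' = r2 ...} until (expr)`
    on one variable a: returns a's value at the end of every tick."""
    a, trace, r_status = init, [init], False
    for _ in range(max_ticks):
        if r_status:  # abort(R) fires one tick after emit R
            break
        r_status = not ttl2({"a": rates}, invariant, {"a": a}, {"a": op}, wcrt)
        a = reduce(op, [a + rho * wcrt for rho in rates])  # reads previous-tick a
        trace.append(a)
    return trace


if __name__ == "__main__":
    plus = lambda x, y: x + y
    # Figure 12c: do {a' = 1 || a' = 1} until (a <= 4) with op+, WCRT = 2
    print(value_ahead(0, [1, 1], plus))                       # 12
    print(evolve(0, [1, 1], plus, lambda s: s["a"] <= 4))     # [0, 4]
    print(is_linear(plus), is_linear(lambda x, y: x * y))     # True False
```

Note that with op+ the combined write is 2a + 4 per tick, so a doubles every tick; that is why a single look-ahead tick would not be enough and Algorithm 2 has to iterate the combination twice rather than scale a single rate.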


6.2.5 Read-write semantics 

HySysJ allows simultaneous reading and writing of a single continuous variable, using the synchronous parallel operator ||. Consider the example in Figure 13a. Continuous variable a evolves linearly with the driving clock. Simultaneously, the value of a is checked in the if block. If the value of a is between 0 and 2, then signal S1 is emitted, else signal S2 is emitted. Furthermore, this branching condition is encapsulated in a loop. This loop is preempted once a takes the value 5. In this case (assuming again that WCRT = 2) the flow action terminates after 2 ticks.


The timing behavior is shown in Figure 13b. In the very first program transition ([0, 2)) the value of a is 1. Since continuous variables are only updated at the end of the current tick, the branching condition is satisfied and signal S1 is emitted; at the end of the first tick a takes the value 3. In the second program transition ([2, 4)) the branching condition is again satisfied, again signal S1 is emitted, and at the end of this tick a takes the value 5. At the start of the next transition, the flow invariant does not hold, and hence, in the third transition, signals R and S2 are emitted. Variable a also stops evolving further. Finally, the program terminates after tick 4, due to delayed signal semantics.

Simultaneous reading and writing of continuous variables works in HySysJ due to the delayed semantics. Simultaneous read-write on continuous variables would need to be rejected if reading the value of a continuous variable read the currently evolving value, which

3. Higher order ODEs resulting from the multiplication operator can be accommodated in HySysJ, but we leave this as future work.


signal S1, S2, R;
cont a = 1;
abort (R) {
  {do {a' = 1} until (a <= 5); emit R}
  ||
  {loop {if (a >= 0 && a <= 2) emit S1 else emit S2; pause}}
}
pause

(a) Example of simultaneous read-write in HySysJ

(b) Timing behavior for Figure 13a: a = 3 at tick 1 and a = 5 at ticks 2, 3 and 4; S1, S1, then S2 together with R are emitted in successive transitions (t axis in units of WCRT)

Fig. 13: Example of read-write semantics on continuous variables in HySysJ. Assume that WCRT = 2

is undefined (and unstable) during the program transition. A continuous variable only takes a defined (and stable) value at the end of ticks.

7 Determining the value of WCRT for the discrete plant model

The rewrite semantics approximate the plant model in the discrete-time domain. This raises the question: what should be the value of WCRT?

The best approximation would be to allow WCRT to approach zero, which is equivalent to performing a definite integration on a continuous function representing the plant, as is done in the hybrid automaton. Another approach is to use zero crossings (see footnote 4) and non-standard analysis, as is done in hybrid data-flow languages [21], [22]. But both these approaches do not (and cannot) consider the time taken for discrete control transitions. We take a different approach to determining the value of WCRT, which is tightly related to the definition of observability in classical supervisory control theory.

Consider a linear, time invariant (LTI), discrete-time plant (see footnote 5) in the state space form as shown in Equation 3. The status of the plant as observed by the discrete controller is shown in Equation 4 (see footnote 6), where x(k) ∈ R^n, y(k) ∈ R^p, n and p are the lengths of the x and y vectors, respectively, and A_d and C_d are constant matrices of appropriate dimensions. Then the observability matrix O(A_d, C_d) is defined in Equation 5. Classical control theory states that one can learn everything about the dynamical behavior of the plant by using only the observability matrix, with the condition that the rank of O is n.

4. Roughly speaking, a zero crossing is an event occurring during the integration of an ODE, when some expression changes sign from negative to positive.

5. Every hybrid automaton models a linear time-invariant plant in the continuous-time domain. But, now that we have discretized the plant, we can use a linear discrete-time invariant system.

6. In our case, due to delayed semantics, Equation 4 is actually y(k + 1) = C_d x(k).
$$x(k+1) = A_d\, x(k), \quad x(0) = x_0 \qquad (3)$$

$$y(k) = C_d\, x(k) \qquad (4)$$

$$\mathcal{O}(A_d, C_d) = \begin{bmatrix} C_d & C_d A_d & C_d A_d^{2} & \cdots & C_d A_d^{\,n-1} \end{bmatrix}^{T} \qquad (5)$$

The definition of the observability matrix is obtained by equating the inductive definition of the plant model in Equation 3 to the observed outputs in Equation 4. Thus, this derivation of the so called observability matrix holds iff the time taken by the discrete control transition is equal to the resolution of the discrete plant model. Hence, the WCRT of the plant is equal to the WCRT of the controller.

Intuitively, the plant does not really have a WCRT, since it is a continuous function. We discretize the plant with the WCRT value equal to the one calculated for the controller, independent of the plant model, in order to adhere to the classical LTI discrete-time supervisory control theory.
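The observability test of this section, as an added Python example (not from the paper): it builds the observability matrix of Equation 5 for a constructed discrete-time plant, a carriage moving at constant velocity sampled every WCRT time units so that A_d = [[1, WCRT], [0, 1]], and checks its rank with exact rational arithmetic. The plant, the rank routine and all function names are this example's assumptions. Observing the position alone makes the plant observable, observing the velocity alone does not, and the delayed output y(k + 1) = C_d x(k) of footnote 6 leaves the matrix unchanged because it only shifts the output index.

```python
# Added example (not from the paper): the observability check of Section 7 on
# a constructed discrete-time LTI plant, with exact rational arithmetic so the
# rank test is not fooled by floating-point round-off. The plant and all
# function names are this example's assumptions.
from fractions import Fraction
from typing import List, Sequence

Matrix = List[List[Fraction]]


def mat(rows: Sequence[Sequence[float]]) -> Matrix:
    """Build an exact matrix from nested lists of ints/floats."""
    return [[Fraction(x) for x in row] for row in rows]


def matmul(a: Matrix, b: Matrix) -> Matrix:
    return [[sum(a[i][k] * b[k][j] for k in range(len(b)))
             for j in range(len(b[0]))] for i in range(len(a))]


def rank(m: Matrix) -> int:
    """Rank by Gauss-Jordan elimination over the rationals."""
    rows = [row[:] for row in m]
    r = 0
    for c in range(len(rows[0]) if rows else 0):
        pivot = next((i for i in range(r, len(rows)) if rows[i][c] != 0), None)
        if pivot is None:
            continue
        rows[r], rows[pivot] = rows[pivot], rows[r]
        for i in range(len(rows)):
            if i != r and rows[i][c] != 0:
                f = rows[i][c] / rows[r][c]
                rows[i] = [x - f * y for x, y in zip(rows[i], rows[r])]
        r += 1
        if r == len(rows):
            break
    return r


def observability_matrix(ad: Matrix, cd: Matrix) -> Matrix:
    """Equation 5: the rows of C_d, C_d A_d, ..., C_d A_d^(n-1) stacked.
    Footnote 6's delayed output y(k+1) = C_d x(k) only shifts the output
    index, so it yields the same matrix."""
    n = len(ad)
    stacked: Matrix = []
    block = cd
    for _ in range(n):
        stacked.extend(block)
        block = matmul(block, ad)
    return stacked


def is_observable(ad: Matrix, cd: Matrix) -> bool:
    """Classical criterion: rank O(A_d, C_d) == n."""
    return rank(observability_matrix(ad, cd)) == len(ad)


def constant_velocity_plant(wcrt: float) -> Matrix:
    """Constructed plant: state x = (position, velocity); the position advances
    by velocity * WCRT per tick and the velocity is constant (Equation 3 with
    the plant discretized at the controller's WCRT, as Section 7 prescribes)."""
    return mat([[1, wcrt], [0, 1]])


if __name__ == "__main__":
    ad = constant_velocity_plant(2)
    print(is_observable(ad, mat([[1, 0]])))  # position sensor: True
    print(is_observable(ad, mat([[0, 1]])))  # velocity sensor only: False
```

Fractions are used deliberately: a rank test in floating point can report a full-rank matrix for a plant that is only numerically close to observable, which is exactly the kind of silent mis-verification a discrete plant model must avoid.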

8 The manufacturing system revisited

We can now revisit the manufacturing control system described earlier in the paper and design it in HySysJ. Furthermore, we verify two properties that are violated in the hybrid automaton model of this closed loop control system: (1) the TRDC controller is placed in the correct position so that it can always observe the passage of the ice-cream on the first carousel, and (2) the non-zero mode-switch time is correctly accounted for in the control system so that the ice-cream is routed to the correct storage. The first property is related to the observability criteria in the classical LTI discrete-time supervisory control theory and the second is its dual, the controllability criteria. We will emit an ERROR signal if either property is violated. The verification tool then simply needs to guarantee that there is no path in the system that reaches the state with emission of the ERROR signal. This reachability test can be performed on a symbolic transition system generated from the base SystemJ language, as all HySysJ statements are rewritten into SystemJ, based on the formal semantics presented in the Appendix.

8.1 Synchronous parallel composition of the plant and the controller

Figure 14a shows the HySysJ program implementing the closed loop control system. There are two synchronous parallel reactions: the first is the controller and the second is the model of the plant itself. Before delving into the details, we give an intuitive justification for a synchronous composition of the plant model and the controller.


$$x(k+1) = A_d\, x(k) + B_d\, u(k), \quad x(0) = x_0 \qquad (6)$$

1  {
2    // The controller
3    int signal S1, S2, S3 op+ = 0;
4    signal DONE;
5    loop {
6      abort (S1) loop A: pause;
7      if (?S1 == 1) {
8        ?S2 = 1; emit S2;
9        abort (DONE) loop B: pause
10     };
11     else {
12       ?S3 = 1; emit S3;
13       abort (DONE) loop C: pause
14     }
15     ?S2 = 0; ?S3 = 0;
16   }
17 } || {
18   // The plant
19   cont x, y; signal ERROR;
20   loop {
21     do {x' = 1} until (x <= α);
22     if (x == α) {
23       ?S1 = 1; emit S1;
24       abort (S2 || S3)
25         do {x' = 1} until (true);
26       if (S2)
27         do {x' = 1 || y' = 1} until (y <= 9)
28       else
29         do {x' = 1 || y' = -1} until (y >= 0);
30       if (x < β) {
31         do {x' = 1} until (x <= β);
32         x = 0; emit DONE;
33       } else emit ERROR;
34     } else emit ERROR; pause
35   }
36 }

(a) The manufacturing system in HySysJ

(b) Timing behavior with α = 3, WCRT = 2

(c) Timing behavior with α = 2, WCRT = 2

(d) Timing behavior with α = 1, WCRT = 1

Fig. 14: The manufacturing system implemented in HySysJ and its timing behavior

Consider the classical LTI discrete-time control system in Equation 6 in the state space form. The vector u takes the control system from some initial state x(0) = x_0, x(k) ∈ R^n, to some desired final state x(k_1) = x_f in a finite number of time steps k_1 < ∞, iff the controllability matrix has rank n. Instead of the controllability criteria, we are right now more interested in the state transition system as presented in Equation 6. Observe that the whole control system (represented by vector x), which includes the controller state and the plant state, always makes a transition together to the next state depending upon the current state and the current input (see footnote 7). This simultaneous transition of the plant state and the controller state implies a synchronous product (à la the || composition) of the plant and the controller state transition systems.

7. Of course, in our case, the plant responds to the previous input rather than the current input, i.e., Equation 6 is time-shifted, because of delayed semantics. But the controllability criteria still remain the same.


8.2 Observability 

We first verify that every ice-cream on the first carousel can be detected by the TRDC in the manufacturing system from Section [?]. Figure 14b shows the timing diagram for the control system assuming WCRT = 2 and α = 3. When the program starts, the controller is in state A (line [?]) waiting for signal S1. The invariant condition at line 21 does not hold after the first tick, and hence, after x takes the value 2, the if statement is checked in the program transition: [2, 4). Of course, the if condition does not hold (recall that α = 3), and the ERROR signal is generated.

Thus, placing the TRDC at 3 units from the start of the first carousel leads to a violation of the observability criteria, a result that was not detected in the hybrid automaton model. Next, we verify the controllability criteria of our manufacturing system.


8.3 Controllability 

Figures 14c and 14d show the timing behavior with α = 2/WCRT = 2, and α = 1/WCRT = 1 ms, respectively. The observability property is not violated in either case, since the position of the TRDC is exactly divisible by the WCRT in both cases. But the controllability criteria is violated in Figure 14c.

Upon observing the ice-cream, signal S1 is emitted with the correct TAG value: 1 in Figure 14a. The controller responds to this emission in the next tick by emitting signal S2. But, unlike the hybrid automaton, the ice-cream on the first carousel keeps on moving and reaches position 6 (in the third tick). This movement of the ice-cream due to the time-delayed mode-switch is modeled on line 25, which can only be preempted by the abort construct waiting for emission of signal S2 or S3. The rest of the program behaves similar to the hybrid automaton in Figure [?]. Once the diverter moves 6 arc-length units (recall that δ = 6), x is already 12, i.e., the ice-cream is past the end of the first carousel (recall that β = 10) and is diverted to the incorrect storage station, thereby again emitting signal ERROR in tick 7.

A possible configuration that results in correct control behavior is: placing the TRDC at position 1, with a WCRT = 1, as shown in Figure 14d.


9 Conclusions 

In this paper we have presented an extension of the linear hybrid automaton approach to simulation of hybrid systems by including non-instantaneous discrete control transitions. Our solution is to approximate the hybrid model in the discrete domain and to preempt the evolution of the continuous variables at the well established discrete points in time. We have proposed new constructs in the synchronous subset of the SystemJ language to model, simulate, and verify hybrid systems with non-instantaneous control transitions. Furthermore, the sound rewrite semantics described in the paper can be used to build symbolic transition systems, which can be verified using classical model-checking tools. As a result of this work, we were able to identify faults in a real hybrid manufacturing control system that could not be found using simulation of the classical linear hybrid automaton model.
Appendix A

Proof for the rewrite semantics

In this section we discuss the correctness criteria for the rewrites described in Section 6.2.2.

A.1 Correctness of the flow action rewrite - discretizing the plant

We have given a rewrite semantics for the flow actions in Figure [?]. Every flow action is converted into a loop with a reduction function on the continuous variable. We prove the correctness of this rewrite using discretization of derivatives in Lemmas 1 and 2.

Lemma 1. Given a' = p, a[n + 1] = a[n] + p × WCRT, where a[n] is the value of a at tick n.

Proof:

$$\frac{da}{dt} \approx \frac{a(t + \Delta) - a(t)}{\Delta} = p$$

$$a(t + \Delta) - a(t) = \Delta \times p$$

Let $t = \Delta \times n$ and, writing $a[n] = a(\Delta \times n)$, we get:

$$a(\Delta \times (n + 1)) - a(\Delta \times n) = \Delta \times p$$

$$\therefore\ a[n + 1] = a[n] + p \times \Delta$$




Finally, in our case, $\Delta = WCRT$, hence:

$$a[n + 1] = a[n] + p \times WCRT$$

□

Lemma 2. Given a[0], $a[k] = a[0] + \sum_{n=0}^{k-1} p \times WCRT$.

Proof: Follows from the inductive definition of a[n + 1] in Lemma 1. □

Lemma 1 gives the approximation of a derivative in the discrete time domain. Every synchronous program is clock-driven by definition, and hence, from Lemma 1, for any tick n + 1 the valuation of the continuous variable a, i.e., a[n + 1], is dependent upon the current value a[n]. Furthermore, given the initial value a[0], the value of the continuous variable at some tick k is given by Lemma 2, which is a reduction: a bounded summation of p × WCRT added to the initial value. Every bounded summation is written as a bounded loop and hence, the rewrite holds.

Next is the question about finding the bound (or equivalently k) in Lemma 2. In the rewrites, this bound is calculated by the algorithms computing the TTL. The TTL algorithms are evaluated at program execution time. In general, one cannot determine the number of loop iterations (equivalently k) at compile time, because the value of k depends upon the valuation of the continuous variable, since the invariant conditions are specified on the valuation of the continuous variables rather than being bounded on time as in definite integrals. The proposed TTL algorithms only ever look ahead 2 logical ticks to bound the loop. We need to show that this 2-tick look-ahead is sufficient to guarantee that the proposed rewrites never violate the invariant conditions.

Lemma 3. Given that the invariant condition (expr) of the flow construct holds at a[0], it is necessary that a[0] + p × WCRT satisfies the invariant.

Proof: Follows from the observation that preemption is always delayed by 1 tick and hence, the flow action will be executed for at least 1 tick. □

Remark. The invariant condition should always hold when we first enter the rewrite, i.e., a[0] always satisfies the flow invariant by definition. Moreover, the flow action, from Lemma 3, will always be executed at least once. Every continuous variable is updated only at the end of the tick, hence, the WCRT value needs to be small enough so that at the end of the first tick, a[0] + p × WCRT does not violate the flow invariant.

Theorem 1. Given that the invariant condition (expr) of the flow construct holds at a[0], it is sufficient to show that the invariant does not hold at a[2] for the rewrite to be correct.

Proof: Follows from Lemma 3 and induction on the structure of the rewrite in Figure [?]. Observe that in the very first iteration (program transition from tick 0 to tick 1) of the loop, a[0] is the programmer specified initial value or the default value of continuous variable a. The reduction statement computes the value a[1] and updates a with this value at the end of the tick. For the next iteration, following structural induction, a[0] is now the value a[1] computed in the last tick. Thus, for any loop iteration, representing the transition from tick n to n + 1, a[0] holds the summation of the past n − 1 tick values from the sum in Lemma 2. From Lemma 3 we know that a[0] + p × WCRT should always hold, and hence, it follows that a[n] + p × WCRT should also hold, which means we only need to look 2 ticks ahead to bound the temporal loop.

□ 
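As an added example (not code from the paper or from HySysJ), the following Python gives a discrete-time reading of the flow-action rewrite in Appendix A (Lemmas 1 to 3 and the two-tick look-ahead bound of Theorem 1) and applies it to the observability check of Section 8.2. The function names, the loop-bounding rule and the carousel values (β = 10, unit speed) are my assumptions, not the paper's TTL implementation.

```python
from typing import Callable, List

Invariant = Callable[[float], bool]


def euler_step(a: float, p: float, wcrt: float) -> float:
    """Lemma 1: with a' = p, the value at the next tick is a[n+1] = a[n] + p * WCRT."""
    return a + p * wcrt


def lemma3_holds(a0: float, p: float, wcrt: float, inv: Invariant) -> bool:
    """Lemma 3 / Remark: preemption is delayed by one tick, so the action runs at
    least once; the invariant must therefore still hold at a[0] + p * WCRT."""
    return inv(a0) and inv(euler_step(a0, p, wcrt))


def flow_until(a0: float, p: float, wcrt: float, inv: Invariant,
               max_ticks: int = 10_000) -> List[float]:
    """Assumed discrete-time model of `do {a' = p} until (inv)` as a bounded loop.

    Returns the trajectory a[0], a[1], ..., a[k].  The bound k is not known at
    compile time; it is found at run time by looking two ticks ahead (Theorem 1):
    the loop stops as soon as the value at the tick after next would violate the
    invariant, so every value ever assigned to `a` still satisfies it.
    """
    if not lemma3_holds(a0, p, wcrt, inv):
        raise ValueError("WCRT too large: a[0] + p*WCRT violates the invariant")
    traj, a = [a0], a0
    for _ in range(max_ticks):
        a = euler_step(a, p, wcrt)                # update at the end of the tick
        traj.append(a)
        if not inv(euler_step(a, p, wcrt)):       # look-ahead: a[n+2] would fail
            break
    return traj


def closed_form(a0: float, p: float, wcrt: float, k: int) -> float:
    """Lemma 2: a[k] = a[0] + sum_{n=0}^{k-1} p * WCRT (the reduction the loop computes)."""
    return a0 + sum(p * wcrt for _ in range(k))


def carousel_positions(beta: float, wcrt: float, speed: float = 1.0) -> List[float]:
    """Sampled positions x of the ice-cream along a carousel of length beta
    (constructed model of the flow `do {x' = 1} until (x <= beta)`)."""
    return flow_until(0.0, speed, wcrt, lambda x: x <= beta)


def detector_observable(alpha: float, beta: float, wcrt: float) -> bool:
    """Section 8.2: the TRDC at position alpha is detected only if some tick value
    of x equals alpha, i.e. only if alpha is a multiple of speed * WCRT."""
    return any(abs(x - alpha) < 1e-9 for x in carousel_positions(beta, wcrt))
```

With WCRT = 2 the sampled positions are 0, 2, 4, 6, 8, 10, so a detector at α = 3 is never observed (the ERROR case of Figure 14b) while α = 2, or α = 1 with WCRT = 1, is.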


